Generating a list of computers or files affected by the Shh/Updater-B False positive from the console database

Article ID:
118324

Updated:
09 March 2015

This article describes how to create a text file listing managed endpoint computers that may be affected by the 'Shh/' false positive mentioned here in our advisory article. It also includes a batch file which will list files where an action has been taken for any 'Shh/' detection.

Note: This article may no longer be relevant. If you are still experiencing either detections or alerts of Shh/Updater-B, it is recommended that you contact Support for the best course of action.

Known to apply to the following Sophos product(s) and version(s)

Enterprise Console

What To Do

On your Sophos Management server, download the batch file fpc.bat and save it to a directory of your choosing.

Execute the batch file from a command prompt: first change to the directory where the file was saved, then run the following: fpc.bat > FpWithoutFix.txt

Once the command completes, open FpWithoutFix.txt to see the computers which have 'agen-xuv.ide' but don't have 'javab-jd.ide'. This list of computers should then be resolved as per KBA 118311.

An additional batch file has been developed which can be used to create a report of files where an action has been taken, e.g. 'Deleted' or 'Moved'.

On your Sophos Management server, download the file fpdf.bat and save it to a directory of your choosing.

Execute the batch file from a command prompt: first change to the directory where the file was saved, then run the following: fpdf.bat > FpActionedFiles.txt

Once the command completes, open FpActionedFiles.txt to see the files upon which an action was taken, if the Move or Delete cleanup options were selected. In the case of files that were moved, please see KBA 118323.